Skip to content

feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies#107

Open
suse-coder wants to merge 55 commits into
Tim-herbie:mainfrom
suse-coder:main
Open

feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies#107
suse-coder wants to merge 55 commits into
Tim-herbie:mainfrom
suse-coder:main

Conversation

@suse-coder

Copy link
Copy Markdown

Summary

This PR enables a production-ready HTTPS deployment with OIDC authentication, document collaboration, virus scanning, and security policies.

Key Changes

🔐 HTTPS & TLS

  • Enable TLS termination via cilium-gateway
  • Configure all services with HTTPS URLs
  • Add HTTP→HTTPS redirect HTTPRoutes for all services
  • Update CSP to use HTTPS URLs
  • Fix config.json to use HTTPS scheme

🔑 OIDC Authentication (Keycloak)

  • Configure Keycloak OIDC with proper redirect URIs
  • Add all required scopes (openid, profile, email, groups, roles)
  • Fix roles mapper to use flat claim name
  • Deploy Keycloak HTTPRoutes in keycloak namespace
  • Enable KC_PROXY=edge for proper HTTPS handling

📄 Document Collaboration (Collabora)

  • Enable Collabora with proper WOPI configuration
  • Fix jail security warnings:
    • Add child_root_path and cache_files.path configuration
    • Set security.capabilities=false
    • Configure proper securityContext (runAsNonRoot, drop ALL capabilities)
    • Add emptyDir volumes for coolwsd-child-roots and coolwsd-cache
  • Add HTTPRoute with proper section names matching gateway listeners

🦠 Virus Scanning (ClamAV)

  • Enable ClamAV virus scanning
  • Configure infected file handling (abort on detection)
  • Set scanner socket to tcp://clamav.clamav.svc.cluster.local:3310

🛡️ Security Policies (OPA)

  • Enable OPA policies for file type restrictions
  • Restrict executable file extensions (.exe, .dll, .msi, etc.)
  • Restrict dangerous MIME types

🌐 HTTPRoutes & Gateway

  • Add HTTP→HTTPS redirect routes for all services
  • Use proper section names matching cilium-gateway listeners:
    • opencloud-proxy-http/https
    • opencloud-keycloak-http/https
    • opencloud-collabora-http/https
    • opencloud-wopi-http/https
  • Deploy Keycloak routes in keycloak namespace (no cross-namespace refs)

📚 Documentation

  • Update README with helmfile sync installation method
  • Update NOTES.txt with HTTPS URLs and enabled features
  • Update prerequisites for Kubernetes 1.33+ and Gateway API
  • Add enabled features checklist

Storage

  • Use ceph-cephfs StorageClass with RWX access mode
  • Dynamic provisioning for persistent volumes

Testing

  • Verified HTTPS access to all services
  • Verified OIDC login flow with Keycloak
  • Verified Collabora document editing
  • Verified ClamAV virus scanning
  • Verified OPA policy enforcement
  • Verified HTTP→HTTPS redirects

suse-coder added 12 commits June 6, 2026 12:22
Add helmfile.yaml composing OpenCloud + Keycloak + OpenLDAP + ClamAV
as separate charts, based on SOURCE helmfile.yaml (564 lines).

Releases:
- opencloud-secrets: shared OIDC, LDAP bind, and S3 credentials
- keycloak: bitnami/keycloak v24.3.0 with auto-imported openCloud realm
- openldap: osixia/openldap with custom schema + LDIF (users/groups)
- clamav: wiremind/clamav v3.7.1 with 2 replicas
- opencloud: monolithic chart with full SOURCE configuration

Configuration sections from SOURCE helmfile:
- Logging, external domain, ingress/gateway
- OIDC/external user management (claims, role assignment, LDAP)
- Secret refs, insecure settings
- Quotas, antivirus, SMTP
- OPA Rego policies (proxy, postprocessing, utils)
- Apps integration (WOPI with Collabora + OnlyOffice)
- Web extensions (6 init containers)

Migration plan reference: Phase 0, Task 0.2
Add 9 unit tests verifying external OIDC and LDAP configuration:
- OC_OIDC_ISSUER set from external issuer URL
- WEB_OIDC_METADATA_URL derived from issuer URL
- Keycloak deployment disabled when oidc.enabled=false
- Keycloak deployment created when oidc.enabled=true
- LDAP bind passwords use internal IDM secrets by default (documents gap)
- S3 credentials reference when decomposeds3 is used
- External user management with admin UUID
- LDAP connection configuration for external user management

Test results: 6 suites, 24 tests, all passing.
Note: LDAP bind secret tests document a gap to be fixed in Phase 1
(external ldap-bind-secrets not yet supported in deployment template).

Migration plan reference: Phase 0, Task 0.4
BREAKING CHANGE: Integrated Keycloak and PostgreSQL deployments removed.
OpenCloud now requires an external OIDC provider (e.g., Keycloak deployed
separately via helmfile).

Changes:
- Remove templates/keycloak/ directory (7 files)
- Remove templates/postgres/ directory (4 files)
- Remove files/keycloak/ directory (realm template, entrypoint script)
- Update values.yaml: replace oidc.enabled/external with direct oidc.issuerUrl/clientId
- Remove postgres section from values.yaml
- Update _helpers/tpl.yaml: simplify OIDC helpers, remove keycloak/postgres helpers
- Update deployment.yaml: use oidc.issuerUrl directly instead of oidc.enabled/external
- Update gateway.yaml: remove Keycloak listener
- Update NOTES.txt: remove Keycloak/PostgreSQL references
- Update tests: remove Keycloak HTTPRoute/Ingress tests, update OIDC tests

Migration: Users must deploy Keycloak separately (e.g., bitnami/keycloak via helmfile)
and configure oidc.issuerUrl and oidc.clientId in values.yaml.

Test results: 6 suites, 23 tests, all passing.

Migration plan reference: Phase 1, Task 1.0
Add Timoni bundles for deploying OpenCloud and dependencies via FluxCD:

opencloud bundle:
- opencloud.cue: main bundle definition for monolithic chart
- runtime.cue: runtime values from ConfigMap/Secrets
- configmap.yaml: OpenCloud configuration
- secret.yaml: OIDC, LDAP bind, S3 credentials
- sa.yaml: Flux ServiceAccount + RBAC

openldap bundle (osixia/openldap):
- openldap.cue: bundle with custom LDIF + OpenCloud schema
- runtime.cue: runtime values from ConfigMap/Secrets
- configmap.yaml: LDAP configuration
- secret.yaml: admin credentials
- sa.yaml: Flux ServiceAccount + RBAC

clamav bundle (wiremind/clamav):
- clamav.cue: bundle with HA config (2 replicas, PDB, topology spread)
- runtime.cue: runtime values from ConfigMap
- configmap.yaml: ClamAV configuration
- sa.yaml: Flux ServiceAccount + RBAC (via service-account instance)

Includes README.md with install/upgrade instructions.

Test results: 6 suites, 23 tests, all passing.

Migration plan reference: Phase 1, Task 1.2
Add antivirus scanning configuration to support ClamAV or ICAP scanners:

values.yaml:
- opencloud.antivirus.enabled: enable/disable scanning
- opencloud.antivirus.infectedFileHandling: abort/continue/delete
- opencloud.antivirus.scannerType: clamav or icap
- opencloud.antivirus.clamavSocket: ClamAV socket endpoint
- opencloud.antivirus.icapUrl: ICAP server URL
- opencloud.antivirus.icapService: ICAP service name

deployment.yaml:
- ANTIVIRUS_ENABLED, ANTIVIRUS_SCANNER_TYPE env vars
- ANTIVIRUS_INFECTED_FILE_HANDLING env var
- ANTIVIRUS_CLAMAV_SOCKET (when scannerType=clamav)
- ANTIVIRUS_ICAP_URL, ANTIVIRUS_ICAP_SERVICE (when scannerType=icap)

tests/antivirus_test.yaml:
- 8 unit tests covering all antivirus configurations
- Tests for clamav scanner type
- Tests for icap scanner type
- Tests for infected file handling options

Test results: 7 suites, 31 tests, all passing.

Migration plan reference: Phase 2, Tasks 2.1-2.3
Add support for explicit storage driver selection for user files:

values.yaml:
- opencloud.storage.usersDriver: explicit driver selection
  - decomposeds3 (default when mode=s3)
  - posix (default when mode=posixfs)
  - decomposed (metadata only, no blob storage)
- If usersDriver is not set, derives from mode field

deployment.yaml:
- Updated STORAGE_USERS_DRIVER to use explicit usersDriver if set
- Falls back to mode-based selection if usersDriver is empty

tests/storage_test.yaml:
- 9 unit tests covering all storage driver configurations
- Tests for default behavior (mode-based)
- Tests for explicit driver override
- Tests for posixfs and s3 configurations

Test results: 8 suites, 40 tests, all passing.

Migration plan reference: Phase 3, Tasks 3.1-3.3
…k 4.1-4.2)

Add comprehensive JSON Schema for values.yaml validation:
- Global settings (domain, TLS, image)
- OIDC configuration (issuerUrl, clientId, CORS)
- Secret references (LDAP, S3)
- Features (external user management, virusscan, email)
- OpenCloud settings (replicas, logLevel, storage, NATS, SMTP, antivirus)
- HTTPRoute and Ingress configuration
- Collabora settings

Schema validates:
- Required formats (hostname, uri, uuid)
- Enum values (logLevel, storage drivers, access modes, etc.)
- Type constraints (boolean, integer, string)

Test results: Schema validation working correctly.

Migration plan reference: Phase 4, Tasks 4.1-4.2
Add mutual exclusion assertion and comprehensive Collabora tests:

deployment.yaml:
- Add mutual exclusion check: fails if both internal and external Collabora enabled
- WOPI proof key generation already present (coolconfig generate-proof-key)

tests/collabora_test.yaml:
- 10 unit tests covering all Collabora configurations
- Tests for mutual exclusion (internal vs external)
- Tests for WOPI proof key generation
- Tests for WOPI alias group configuration
- Tests for SSL configuration (enabled/disabled)
- Tests for MKNOD capability
- Tests for liveness and readiness probes

Test results: 9 suites, 50 tests, all passing.

Migration plan reference: Phase 5, Tasks 5.1-5.3
…hase 6)

- Add ServiceMonitor template for Prometheus monitoring
- Add extra-resources template for arbitrary K8s resources
- Add custom CA chain helper for inter-service TLS
- Add OPA Rego policies ConfigMap for file/MIME restrictions
- Add monitoring, extraResources, customCA, and policies sections to values.yaml
- Add comprehensive tests for all new features (monitoring_test.yaml)
- Fix ingress section indentation in values.yaml

All 60 tests pass across 10 test suites.
- Enable HTTPS with TLS termination via cilium-gateway
- Configure Keycloak OIDC with proper redirect URIs and scopes
- Add HTTP→HTTPS redirect routes for all services
- Enable Collabora with jail security fixes (child_root_path, capabilities)
- Enable ClamAV virus scanning with infected file handling
- Enable OPA policies for file type restrictions
- Fix CSP to use HTTPS URLs
- Update config.json to use HTTPS scheme
- Add proper section names for all HTTPRoutes matching gateway listeners
- Replace helm install with helmfile sync in Quick Start
- Update prerequisites to mention Gateway API compatible ingress
- Update component list (ClamAV, OPA, OpenLDAP instead of MinIO)
- Update NOTES.txt with HTTPS URLs instead of port-forward
- Update storage section to reflect ceph-cephfs RWX
- Add enabled features section to NOTES.txt
- Update production readiness checklist
- Update component list (OpenLDAP, ClamAV instead of PostgreSQL, MinIO)
- Add helmfile sync as primary installation method
- Update prerequisites for Kubernetes 1.33+ and Gateway API
- Update installation examples with correct gateway section names
@suse-coder

Copy link
Copy Markdown
Author

Do you know if "{"level":"error","service":"storage-users","host.name":"opencloud-opencloud-6f8488f87b-g47fb","pkg":"rgrpc","driver":"posix","error":"error: not found: record not found in cache","path":"/var/lib/opencloud/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/3b","time":"2026-06-06T20:49:12Z","line":"github.com/opencloud-eu/reva/v2@v2.46.2-0.20260602061404-0e975e5456eb/pkg/storage/fs/posix/tree/assimilation.go:991","message":"could not get ids for path"}
{"level":"error","service":"storage-users","host.name":"opencloud-opencloud-6f8488f87b-g47fb","pkg":"rgrpc","driver":"posix","error":"error: not found: record not found in cache","path":"/var/lib/opencloud/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/78/1a","time":"2026-06-06T20:49:12Z","line":"github.com/opencloud-eu/reva/v2@v2.46.2-0.20260602061404-0e975e5456eb/pkg/storage/fs/posix/tree/assimilation.go:991","message":"could not get ids for path"}
"
in opencode pod

is normal I guess you had that also

suse-coder added 11 commits June 6, 2026 20:52
…ncloud.eu to CSP

- Add frontendCheckForUpdates value (default: false) to disable update checks
- Make FRONTEND_CHECK_FOR_UPDATES environment variable configurable via values
- Add https://update.opencloud.eu/ to CSP connect-src to allow update checks when enabled
- Update helmfile to disable update checks by default
- Enable TLS, posixfs storage with RWX access mode
- Enable antivirus (ClamAV), OPA policies, Collabora
- Add httpRoute gateway sectionName configuration
- Add frontendCheckForUpdates setting
- Update runtime.cue, opencloud.cue, and configmap.yaml
- Second instance uses opencloud2.test domains
- Shares Keycloak and OpenLDAP with first instance
- Uses opencloud2 sectionName for HTTPRoute
- Commented out by default, uncomment to deploy
- Comment out opencloud2 instance in helmfile (multi-tenant example)
- Remove unused OIDC credentials from Timoni secret.yaml
- Update NOTES.txt to remove Keycloak section when OIDC is configured
- Make deployment strategy conditional on RWX access mode
- Add decomposed driver configuration in values.yaml
- Add STORAGE_USERS_OC_MAX_CONCURRENCY env var for decomposed driver
- Support decomposed driver in deployment template alongside posixfs and decomposeds3
- Add decomposed object with maxConcurrency property to storage schema
…ction

- Add warning about CephFS snapshot/clone issues with posixfs mode
- Recommend decomposed driver as alternative for CephFS environments
- Add decomposed storage settings table to README
- Add conditional warning in NOTES.txt when posixfs is used
- Add decomposed storage mode to values.yaml and schema
- Implement decomposed PVC, volume mount, and strategy logic
- Update deployment template to support decomposed driver
- Add CephFS backup warning for posixfs mode
- Update helmfile with decomposedfs configuration
- Add data PVC size configuration to helmfile
- Update README with decomposed storage settings
- Add conditional warning in NOTES.txt for posixfs + CephFS
- Update Chart.yaml version from 2.4.3 to 2.4.4
- Keep 2.4.3 entry in version table, add 2.4.4
- Update Timoni deployment version references
@Tim-herbie

Copy link
Copy Markdown
Owner

You deploy opencloud and all the stuff with helmfile and not with helm or?

@suse-coder

suse-coder commented Jun 7, 2026

Copy link
Copy Markdown
Author

You deploy opencloud and all the stuff with helmfile and not with helm or?

Yes for testing I just run the helmfile. For Prod I use timoni (and in the future kind: HelmChart).
I deploy it with timoni (flux-helm-release adapter for helm) with fluxcd.

@suse-coder

suse-coder commented Jun 7, 2026

Copy link
Copy Markdown
Author

But I think the future is going away from helmfiles -> to yaml based HelmRepositories and HelmCharts (multiple yaml) from https://fluxoperator.dev/docs/charts/flux-operator/

---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmChart
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 5m0s
  chart: podinfo
  reconcileStrategy: ChartVersion
  sourceRef:
    kind: HelmRepository
    name: podinfo
  version: '5.*'

I wanted to try it out, yet not had time for it. But it is how to do it right (if one is not using timoni).

# redis-repo.yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami
  namespace: default
spec:
  interval: 1h
  url: https://charts.bitnami.com/bitnami
  

@Tim-herbie

Copy link
Copy Markdown
Owner

Yeah I use the helmrepository and helmrelease already with e.g.:

apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: opencloud-github
  namespace: flux-system
spec:
  type: oci
  interval: 5m
  url: oci://ghcr.io/tim-herbie/opencloud-helm
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: opencloud
  namespace: opencloud
spec:
  releaseName: opencloud
  interval: 5m
  chart:
    spec:
      chart: opencloud
      sourceRef:
        kind: HelmRepository
        name: opencloud-github
        namespace: flux-system
      version: "2.4.3"
  values:

    global:
      domain:
        oidc: keycloak.demo.de
        opencloud: opencloud.demo.de
        wopi: wopiserver.demo.de
        collabora: collabora.demo.de
        onlyoffice: onlyoffice.demo.de
        companion: companion.demo.de
      
    oidc:
      enabled: false
      external:
        issuerUrl: "https://keycloak.demo.de/realms/master"
        clientId: "web"
        realm: "master"

    postgres:
      enabled: false

    opencloud:
      enabled: true
      replicas: 1
      logLevel: "warn"
      enableBasicAuth: false
      
      persistence:
        config:
          enabled: true
          size: 5Gi
          accessMode: ReadWriteMany
        data:
          enabled: true
          size: 10Gi
          accessMode: ReadWriteMany
       
      resources:
        requests:
          cpu: "250m"
          memory: "512Mi"
        limits:
          cpu: "1000m"
          memory: "2Gi"
      storage:
        s3:
          enabled: false
          external:
            endpoint: "https://s3.de.io.cloud.ovh.net"
            region: "de"
            existingSecret: "opencloud-s3-credentials"
            bucket: "rke2ciliumopencloud"
      env:
        - name: GRAPH_LDAP_SERVER_WRITE_ENABLED
          value: "true"
        - name: "PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD"
          value: "none"

    httpRoute:
      enabled: true
      
      gateway:
        name: cilium-gateway-external
        className: cilium
        namespace: "kube-system"
        sectionName: https-demo

I think this is also better than using Timoni. I would prefer to use YAML-based files; however, I'm generally more of a fan of JSON, especially for tools like Terraform.

@Tim-herbie

Copy link
Copy Markdown
Owner

FYI: I am on vacation right now . We can discuss a little bit here, but I can´t review such a big pr for the next 1-2 weeks right now.

@suse-coder

Copy link
Copy Markdown
Author

FYI: I am on vacation right now . We can discuss a little bit here, but I can´t review such a big pr for the next 1-2 weeks right now.

good holiday

@suse-coder

Copy link
Copy Markdown
Author

@Tim-herbie

Copy link
Copy Markdown
Owner

@suse-coder I’m open to using a different Tika image.

Looking at this PR, how should we proceed? As discussed, we don’t want to introduce Helmfile or Timoni.

What would be the best next step from your perspective?

renovate Bot and others added 23 commits June 26, 2026 11:12
…g to v7.2.0 (opencloud-eu#109)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…loud-eu#104)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- Replace helm install with helmfile sync in Quick Start
- Update prerequisites to mention Gateway API compatible ingress
- Update component list (ClamAV, OPA, OpenLDAP instead of MinIO)
- Update NOTES.txt with HTTPS URLs instead of port-forward
- Update storage section to reflect ceph-cephfs RWX
- Add enabled features section to NOTES.txt
- Update production readiness checklist
…6); add full realm import with groups clientScope and admin UUID for autoprovisioning
- Remove deployments/helm (helmfile), deployments/timoni bundles, and the
  old deployments/flux (per-component -rset.yaml shards).
- Rename deployments/flux-2 -> deployments/flux so a single directory holds
  the self-contained FluxCD HelmReleases (keycloak + postgres, openldap,
  clamav, opencloud, collabora) plus inline realm import / database config /
  HTTPRoutes. Apply with one kubectl apply -f per component dir.
- README Quick Start now documents the single-cli flux apply flow instead
  of the removed helmfile sync.
- templates/minio/httproute.yaml: add the missing ${prefix}-minio-http
  redirect HTTPRoute alongside the existing HTTPS route, mirroring the
  collabora / collaboration / opencloud templates.
- templates/gateway/gateway.yaml: rename listeners to ${sectionName}-
  <service>-<proto> (opencloud-proxy-http, opencloud-keycloak-http,
  opencloud-wopi-http, opencloud-collabora-http, opencloud-minio-http) so
  the chart's self-provisioned gateway matches the sectionName the
  httproute templates attach to. Add port: 80 explicitly (was variable).
- deployments/flux/opencloud/opencloud.yaml: switch the chart GitRepository
  to suse-coder/helm-1 (where this fix lives) as 'opencloud-helm' and set
  httpRoute.gateway.sectionName: opencloud so the chart's HTTPRoutes bind
  to the matching listeners on the cluster's external cilium-gateway.
…ecret

New chart template reads .Values.opencloud.ldap.secretRef (not the legacy
secretRefs.ldapSecretRef path) for the LDAP bind password keys
(reva-ldap-bind-password / graph-ldap-bind-password). Without this the
opencloud container fails CreateContainerConfigError:
secret "opencloud-opencloud-ldap" not found.

Also update charts/opencloud/README.md: replace the removed helmfile sync
Quick Start with the FluxCD kubectl apply -f deployments/flux/... flow.
…econcile

Replace the per-file kubectl apply/delete lists with the single
kubectl apply -R -f charts/opencloud/deployments/flux/ command
(recurses all component subdirs in one shot). Add the matching
delete -R one-liner and a flux reconcile loop covering all
HelmReleases across namespaces.
When kubectl delete removes the HelmRelease CRs, Flux's helm-controller
runs helm uninstall for each, cascading the chart-rendered Deployments /
Services / ConfigMaps / HTTPRoutes / Secrets. The keycloak/openldap/clamav
YAMLs also embed their Namespace manifest so those cascade; the opencloud
namespace is not declared in opencloud.yaml so it must be deleted
explicitly. PVCs are retained by Helm to preserve data — delete them
manually for a clean slate.
The keycloak/openldap/clamav flux manifests embed their Namespace so
kubectl apply -R works on a fresh cluster. opencloud.yaml was the odd
one out — it created HelmReleases/Secrets in the opencloud namespace
without declaring it, so 'kubectl apply -R -f deployments/flux/' failed
with 'namespaces opencloud not found' on a clean cluster.
…mmented

Switch the flux opencloud HelmRelease default from S3+MinIO to the
decomposed (PVC-backed) storage driver, matching the working /helm
chart which uses storageusers.storageBackend.driver: posix.

- opencloud.yaml: set opencloud.storage.mode: decomposed with a 60Gi
  PVC (ReadWriteOnce). Keep the s3/MinIO block and the
  secretRefs.s3CredentialsSecretRef line as commented-out references
  so switching back to S3 is a one-block uncomment.
- secrets.yaml: comment out the s3secret Secret (no longer needed by
  default). Uncomment together with the s3 block in opencloud.yaml.
- minio: no longer deployed (chart's minio templates gate on
  storage.mode == s3 && storage.s3.enabled).
…comment RWX option in flux opencloud.yaml

- opencloud.yaml: add commented-out 'accessMode: ReadWriteMany' under
  decomposed.persistence so switching to RWX (multi-replica RollingUpdate)
  is a one-line uncomment.
- charts/opencloud/README.md: add a 'Choosing a storage backend' table
  covering all four configs (decomposed default, decomposed+RWX, bundled
  S3/MinIO, external S3) with the exact YAML edits needed for each switch,
  and a warning about the PVC access mode -> rollout strategy coupling.
The OpenCloud web frontend is served at https://cloud.opencloud.test (TLS
terminated at the Cilium Gateway). With global.tls.enabled=false the chart
rendered config.json with "server": "http://cloud.opencloud.test",
which made the browser block every sub-resource fetch (theme.json,
remoteEntry-*.mjs, /capabilities, etc.) as mixed content / CSP violation,
producing 'Missing or invalid config' plus a cascade of Failed to fetch
errors in the browser console. Setting global.tls.enabled=true makes
files/opencloud/config.json.gotmpl emit https:// for the server URL,
matching the actual scheme the browser sees.
The chart template gates all PROXY_OIDC_* / WEB_OIDC_* / OC_OIDC_ISSUER
env vars on {{- if .Values.oidc.issuerUrl }}. Without issuerUrl set,
the proxy has no OIDC issuer configured and returns 502 Bad Gateway on
/.well-known/openid-configuration (logs: 'unsupported protocol scheme'
+ 'could not select service eu.opencloud.web.idp from the registry').

The old oidc.enabled + oidc.external block was dead config from the
legacy bundled-keycloak era — the chart never reads those fields.
Replace with the flat oidc.issuerUrl / oidc.clientId that the chart's
_helpers 'opencloud.oidc.issuer' template actually consumes.
…cure

Chart defaults both to false, but keycloak.opencloud.test is served
over HTTPS with a Cilium-terminated cert (self-signed CA internally),
so the opencloud proxy fails TLS verification and returns 502 on
/.well-known/openid-configuration. The working /helm helmfile sets
both to true, matching this deployment's TLS topology.
@suse-coder

Copy link
Copy Markdown
Author

@Tim-herbie can be merged now. works also with tika. have timoni replaces with bare helmreleases.

suse-coder added 3 commits June 29, 2026 10:33
The tika deployment hardcoded JAVA_OPTS=-Xmx3g, which pinned the JVM
heap to 3 GiB regardless of the container memory limit. With tika 3.x
on a JVM 21 runtime the heap auto-sizes from cgroup limits when no
-Xmx is set, matching the opencloud-compose baseline. Expose env via
.tika.env (default empty) so users can override JAVA_OPTS or add
per-parse timeout sysprops (e.g. tika.server.forkedProcessTimeoutMillis)
without forking the template.
Aligns tika requests with the deployed pod's actual usage; limits stay
at 4 CPU / 10Gi so transient parsing spikes remain unconstrained.
@suse-coder

Copy link
Copy Markdown
Author

@Tim-herbie Guess you are still on holiday. But it can be merged if you are ready.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants